LCOV - code coverage report
Current view: top level - src/backend/libpq - auth-scram.c (source / functions) Hit Total Coverage
Test: PostgreSQL 12beta2 Lines: 266 338 78.7 %
Date: 2019-06-19 14:06:47 Functions: 17 19 89.5 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*-------------------------------------------------------------------------
       2             :  *
       3             :  * auth-scram.c
       4             :  *    Server-side implementation of the SASL SCRAM-SHA-256 mechanism.
       5             :  *
       6             :  * See the following RFCs for more details:
       7             :  * - RFC 5802: https://tools.ietf.org/html/rfc5802
       8             :  * - RFC 5803: https://tools.ietf.org/html/rfc5803
       9             :  * - RFC 7677: https://tools.ietf.org/html/rfc7677
      10             :  *
      11             :  * Here are some differences:
      12             :  *
      13             :  * - Username from the authentication exchange is not used. The client
      14             :  *   should send an empty string as the username.
      15             :  *
      16             :  * - If the password isn't valid UTF-8, or contains characters prohibited
      17             :  *   by the SASLprep profile, we skip the SASLprep pre-processing and use
      18             :  *   the raw bytes in calculating the hash.
      19             :  *
      20             :  * - If channel binding is used, the channel binding type is always
      21             :  *   "tls-server-end-point".  The spec says the default is "tls-unique"
      22             :  *   (RFC 5802, section 6.1. Default Channel Binding), but there are some
      23             :  *   problems with that.  Firstly, not all SSL libraries provide an API to
      24             :  *   get the TLS Finished message, required to use "tls-unique".  Secondly,
      25             :  *   "tls-unique" is not specified for TLS v1.3, and as of this writing,
      26             :  *   it's not clear if there will be a replacement.  We could support both
      27             :  *   "tls-server-end-point" and "tls-unique", but for our use case,
      28             :  *   "tls-unique" doesn't really have any advantages.  The main advantage
      29             :  *   of "tls-unique" would be that it works even if the server doesn't
      30             :  *   have a certificate, but PostgreSQL requires a server certificate
      31             :  *   whenever SSL is used, anyway.
      32             :  *
      33             :  *
      34             :  * The password stored in pg_authid consists of the iteration count, salt,
      35             :  * StoredKey and ServerKey.
      36             :  *
      37             :  * SASLprep usage
      38             :  * --------------
      39             :  *
      40             :  * One notable difference to the SCRAM specification is that while the
      41             :  * specification dictates that the password is in UTF-8, and prohibits
      42             :  * certain characters, we are more lenient.  If the password isn't a valid
      43             :  * UTF-8 string, or contains prohibited characters, the raw bytes are used
      44             :  * to calculate the hash instead, without SASLprep processing.  This is
      45             :  * because PostgreSQL supports other encodings too, and the encoding being
      46             :  * used during authentication is undefined (client_encoding isn't set until
      47             :  * after authentication).  In effect, we try to interpret the password as
      48             :  * UTF-8 and apply SASLprep processing, but if it looks invalid, we assume
      49             :  * that it's in some other encoding.
      50             :  *
      51             :  * In the worst case, we misinterpret a password that's in a different
      52             :  * encoding as being Unicode, because it happens to consists entirely of
      53             :  * valid UTF-8 bytes, and we apply Unicode normalization to it.  As long
      54             :  * as we do that consistently, that will not lead to failed logins.
      55             :  * Fortunately, the UTF-8 byte sequences that are ignored by SASLprep
      56             :  * don't correspond to any commonly used characters in any of the other
      57             :  * supported encodings, so it should not lead to any significant loss in
      58             :  * entropy, even if the normalization is incorrectly applied to a
      59             :  * non-UTF-8 password.
      60             :  *
      61             :  * Error handling
      62             :  * --------------
      63             :  *
      64             :  * Don't reveal user information to an unauthenticated client.  We don't
      65             :  * want an attacker to be able to probe whether a particular username is
      66             :  * valid.  In SCRAM, the server has to read the salt and iteration count
      67             :  * from the user's password verifier, and send it to the client.  To avoid
      68             :  * revealing whether a user exists, when the client tries to authenticate
      69             :  * with a username that doesn't exist, or doesn't have a valid SCRAM
      70             :  * verifier in pg_authid, we create a fake salt and iteration count
      71             :  * on-the-fly, and proceed with the authentication with that.  In the end,
      72             :  * we'll reject the attempt, as if an incorrect password was given.  When
      73             :  * we are performing a "mock" authentication, the 'doomed' flag in
      74             :  * scram_state is set.
      75             :  *
      76             :  * In the error messages, avoid printing strings from the client, unless
      77             :  * you check that they are pure ASCII.  We don't want an unauthenticated
      78             :  * attacker to be able to spam the logs with characters that are not valid
      79             :  * to the encoding being used, whatever that is.  We cannot avoid that in
      80             :  * general, after logging in, but let's do what we can here.
      81             :  *
      82             :  *
      83             :  * Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
      84             :  * Portions Copyright (c) 1994, Regents of the University of California
      85             :  *
      86             :  * src/backend/libpq/auth-scram.c
      87             :  *
      88             :  *-------------------------------------------------------------------------
      89             :  */
      90             : #include "postgres.h"
      91             : 
      92             : #include <unistd.h>
      93             : 
      94             : #include "access/xlog.h"
      95             : #include "catalog/pg_authid.h"
      96             : #include "catalog/pg_control.h"
      97             : #include "common/base64.h"
      98             : #include "common/saslprep.h"
      99             : #include "common/scram-common.h"
     100             : #include "common/sha2.h"
     101             : #include "libpq/auth.h"
     102             : #include "libpq/crypt.h"
     103             : #include "libpq/scram.h"
     104             : #include "miscadmin.h"
     105             : #include "utils/builtins.h"
     106             : #include "utils/timestamp.h"
     107             : 
     108             : /*
     109             :  * Status data for a SCRAM authentication exchange.  This should be kept
     110             :  * internal to this file.
     111             :  */
     112             : typedef enum
     113             : {
     114             :     SCRAM_AUTH_INIT,
     115             :     SCRAM_AUTH_SALT_SENT,
     116             :     SCRAM_AUTH_FINISHED
     117             : } scram_state_enum;
     118             : 
     119             : typedef struct
     120             : {
     121             :     scram_state_enum state;
     122             : 
     123             :     const char *username;       /* username from startup packet */
     124             : 
     125             :     Port       *port;
     126             :     bool        channel_binding_in_use;
     127             : 
     128             :     int         iterations;
     129             :     char       *salt;           /* base64-encoded */
     130             :     uint8       StoredKey[SCRAM_KEY_LEN];
     131             :     uint8       ServerKey[SCRAM_KEY_LEN];
     132             : 
     133             :     /* Fields of the first message from client */
     134             :     char        cbind_flag;
     135             :     char       *client_first_message_bare;
     136             :     char       *client_username;
     137             :     char       *client_nonce;
     138             : 
     139             :     /* Fields from the last message from client */
     140             :     char       *client_final_message_without_proof;
     141             :     char       *client_final_nonce;
     142             :     char        ClientProof[SCRAM_KEY_LEN];
     143             : 
     144             :     /* Fields generated in the server */
     145             :     char       *server_first_message;
     146             :     char       *server_nonce;
     147             : 
     148             :     /*
     149             :      * If something goes wrong during the authentication, or we are performing
     150             :      * a "mock" authentication (see comments at top of file), the 'doomed'
     151             :      * flag is set.  A reason for the failure, for the server log, is put in
     152             :      * 'logdetail'.
     153             :      */
     154             :     bool        doomed;
     155             :     char       *logdetail;
     156             : } scram_state;
     157             : 
     158             : static void read_client_first_message(scram_state *state, const char *input);
     159             : static void read_client_final_message(scram_state *state, const char *input);
     160             : static char *build_server_first_message(scram_state *state);
     161             : static char *build_server_final_message(scram_state *state);
     162             : static bool verify_client_proof(scram_state *state);
     163             : static bool verify_final_nonce(scram_state *state);
     164             : static void mock_scram_verifier(const char *username, int *iterations,
     165             :                                 char **salt, uint8 *stored_key, uint8 *server_key);
     166             : static bool is_scram_printable(char *p);
     167             : static char *sanitize_char(char c);
     168             : static char *sanitize_str(const char *s);
     169             : static char *scram_mock_salt(const char *username);
     170             : 
     171             : /*
     172             :  * pg_be_scram_get_mechanisms
     173             :  *
     174             :  * Get a list of SASL mechanisms that this module supports.
     175             :  *
     176             :  * For the convenience of building the FE/BE packet that lists the
     177             :  * mechanisms, the names are appended to the given StringInfo buffer,
     178             :  * separated by '\0' bytes.
     179             :  */
     180             : void
     181          32 : pg_be_scram_get_mechanisms(Port *port, StringInfo buf)
     182             : {
     183             :     /*
     184             :      * Advertise the mechanisms in decreasing order of importance.  So the
     185             :      * channel-binding variants go first, if they are supported.  Channel
     186             :      * binding is only supported with SSL, and only if the SSL implementation
     187             :      * has a function to get the certificate's hash.
     188             :      */
     189             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
     190          32 :     if (port->ssl_in_use)
     191             :     {
     192           2 :         appendStringInfoString(buf, SCRAM_SHA_256_PLUS_NAME);
     193           2 :         appendStringInfoChar(buf, '\0');
     194             :     }
     195             : #endif
     196          32 :     appendStringInfoString(buf, SCRAM_SHA_256_NAME);
     197          32 :     appendStringInfoChar(buf, '\0');
     198          32 : }
     199             : 
     200             : /*
     201             :  * pg_be_scram_init
     202             :  *
     203             :  * Initialize a new SCRAM authentication exchange status tracker.  This
     204             :  * needs to be called before doing any exchange.  It will be filled later
     205             :  * after the beginning of the exchange with verifier data.
     206             :  *
     207             :  * 'selected_mech' identifies the SASL mechanism that the client selected.
     208             :  * It should be one of the mechanisms that we support, as returned by
     209             :  * pg_be_scram_get_mechanisms().
     210             :  *
     211             :  * 'shadow_pass' is the role's password verifier, from pg_authid.rolpassword.
     212             :  * The username was provided by the client in the startup message, and is
     213             :  * available in port->user_name.  If 'shadow_pass' is NULL, we still perform
     214             :  * an authentication exchange, but it will fail, as if an incorrect password
     215             :  * was given.
     216             :  */
     217             : void *
     218          32 : pg_be_scram_init(Port *port,
     219             :                  const char *selected_mech,
     220             :                  const char *shadow_pass)
     221             : {
     222             :     scram_state *state;
     223             :     bool        got_verifier;
     224             : 
     225          32 :     state = (scram_state *) palloc0(sizeof(scram_state));
     226          32 :     state->port = port;
     227          32 :     state->state = SCRAM_AUTH_INIT;
     228             : 
     229             :     /*
     230             :      * Parse the selected mechanism.
     231             :      *
     232             :      * Note that if we don't support channel binding, either because the SSL
     233             :      * implementation doesn't support it or we're not using SSL at all, we
     234             :      * would not have advertised the PLUS variant in the first place.  If the
     235             :      * client nevertheless tries to select it, it's a protocol violation like
     236             :      * selecting any other SASL mechanism we don't support.
     237             :      */
     238             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
     239          32 :     if (strcmp(selected_mech, SCRAM_SHA_256_PLUS_NAME) == 0 && port->ssl_in_use)
     240           2 :         state->channel_binding_in_use = true;
     241             :     else
     242             : #endif
     243          30 :     if (strcmp(selected_mech, SCRAM_SHA_256_NAME) == 0)
     244          30 :         state->channel_binding_in_use = false;
     245             :     else
     246           0 :         ereport(ERROR,
     247             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     248             :                  errmsg("client selected an invalid SASL authentication mechanism")));
     249             : 
     250             :     /*
     251             :      * Parse the stored password verifier.
     252             :      */
     253          32 :     if (shadow_pass)
     254             :     {
     255          32 :         int         password_type = get_password_type(shadow_pass);
     256             : 
     257          32 :         if (password_type == PASSWORD_TYPE_SCRAM_SHA_256)
     258             :         {
     259          30 :             if (parse_scram_verifier(shadow_pass, &state->iterations, &state->salt,
     260          30 :                                      state->StoredKey, state->ServerKey))
     261          30 :                 got_verifier = true;
     262             :             else
     263             :             {
     264             :                 /*
     265             :                  * The password looked like a SCRAM verifier, but could not be
     266             :                  * parsed.
     267             :                  */
     268           0 :                 ereport(LOG,
     269             :                         (errmsg("invalid SCRAM verifier for user \"%s\"",
     270             :                                 state->port->user_name)));
     271           0 :                 got_verifier = false;
     272             :             }
     273             :         }
     274             :         else
     275             :         {
     276             :             /*
     277             :              * The user doesn't have SCRAM verifier. (You cannot do SCRAM
     278             :              * authentication with an MD5 hash.)
     279             :              */
     280           2 :             state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
     281           2 :                                         state->port->user_name);
     282           2 :             got_verifier = false;
     283             :         }
     284             :     }
     285             :     else
     286             :     {
     287             :         /*
     288             :          * The caller requested us to perform a dummy authentication.  This is
     289             :          * considered normal, since the caller requested it, so don't set log
     290             :          * detail.
     291             :          */
     292           0 :         got_verifier = false;
     293             :     }
     294             : 
     295             :     /*
     296             :      * If the user did not have a valid SCRAM verifier, we still go through
     297             :      * the motions with a mock one, and fail as if the client supplied an
     298             :      * incorrect password.  This is to avoid revealing information to an
     299             :      * attacker.
     300             :      */
     301          32 :     if (!got_verifier)
     302             :     {
     303           2 :         mock_scram_verifier(state->port->user_name, &state->iterations,
     304           2 :                             &state->salt, state->StoredKey, state->ServerKey);
     305           2 :         state->doomed = true;
     306             :     }
     307             : 
     308          32 :     return state;
     309             : }
     310             : 
     311             : /*
     312             :  * Continue a SCRAM authentication exchange.
     313             :  *
     314             :  * 'input' is the SCRAM payload sent by the client.  On the first call,
     315             :  * 'input' contains the "Initial Client Response" that the client sent as
     316             :  * part of the SASLInitialResponse message, or NULL if no Initial Client
     317             :  * Response was given.  (The SASL specification distinguishes between an
     318             :  * empty response and non-existing one.)  On subsequent calls, 'input'
     319             :  * cannot be NULL.  For convenience in this function, the caller must
     320             :  * ensure that there is a null terminator at input[inputlen].
     321             :  *
     322             :  * The next message to send to client is saved in 'output', for a length
     323             :  * of 'outputlen'.  In the case of an error, optionally store a palloc'd
     324             :  * string at *logdetail that will be sent to the postmaster log (but not
     325             :  * the client).
     326             :  */
     327             : int
     328          64 : pg_be_scram_exchange(void *opaq, const char *input, int inputlen,
     329             :                      char **output, int *outputlen, char **logdetail)
     330             : {
     331          64 :     scram_state *state = (scram_state *) opaq;
     332             :     int         result;
     333             : 
     334          64 :     *output = NULL;
     335             : 
     336             :     /*
     337             :      * If the client didn't include an "Initial Client Response" in the
     338             :      * SASLInitialResponse message, send an empty challenge, to which the
     339             :      * client will respond with the same data that usually comes in the
     340             :      * Initial Client Response.
     341             :      */
     342          64 :     if (input == NULL)
     343             :     {
     344             :         Assert(state->state == SCRAM_AUTH_INIT);
     345             : 
     346           0 :         *output = pstrdup("");
     347           0 :         *outputlen = 0;
     348           0 :         return SASL_EXCHANGE_CONTINUE;
     349             :     }
     350             : 
     351             :     /*
     352             :      * Check that the input length agrees with the string length of the input.
     353             :      * We can ignore inputlen after this.
     354             :      */
     355          64 :     if (inputlen == 0)
     356           0 :         ereport(ERROR,
     357             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     358             :                  errmsg("malformed SCRAM message"),
     359             :                  errdetail("The message is empty.")));
     360          64 :     if (inputlen != strlen(input))
     361           0 :         ereport(ERROR,
     362             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     363             :                  errmsg("malformed SCRAM message"),
     364             :                  errdetail("Message length does not match input length.")));
     365             : 
     366          64 :     switch (state->state)
     367             :     {
     368             :         case SCRAM_AUTH_INIT:
     369             : 
     370             :             /*
     371             :              * Initialization phase.  Receive the first message from client
     372             :              * and be sure that it parsed correctly.  Then send the challenge
     373             :              * to the client.
     374             :              */
     375          32 :             read_client_first_message(state, input);
     376             : 
     377             :             /* prepare message to send challenge */
     378          32 :             *output = build_server_first_message(state);
     379             : 
     380          32 :             state->state = SCRAM_AUTH_SALT_SENT;
     381          32 :             result = SASL_EXCHANGE_CONTINUE;
     382          32 :             break;
     383             : 
     384             :         case SCRAM_AUTH_SALT_SENT:
     385             : 
     386             :             /*
     387             :              * Final phase for the server.  Receive the response to the
     388             :              * challenge previously sent, verify, and let the client know that
     389             :              * everything went well (or not).
     390             :              */
     391          32 :             read_client_final_message(state, input);
     392             : 
     393          32 :             if (!verify_final_nonce(state))
     394           0 :                 ereport(ERROR,
     395             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     396             :                          errmsg("invalid SCRAM response"),
     397             :                          errdetail("Nonce does not match.")));
     398             : 
     399             :             /*
     400             :              * Now check the final nonce and the client proof.
     401             :              *
     402             :              * If we performed a "mock" authentication that we knew would fail
     403             :              * from the get go, this is where we fail.
     404             :              *
     405             :              * The SCRAM specification includes an error code,
     406             :              * "invalid-proof", for authentication failure, but it also allows
     407             :              * erroring out in an application-specific way.  We choose to do
     408             :              * the latter, so that the error message for invalid password is
     409             :              * the same for all authentication methods.  The caller will call
     410             :              * ereport(), when we return SASL_EXCHANGE_FAILURE with no output.
     411             :              *
     412             :              * NB: the order of these checks is intentional.  We calculate the
     413             :              * client proof even in a mock authentication, even though it's
     414             :              * bound to fail, to thwart timing attacks to determine if a role
     415             :              * with the given name exists or not.
     416             :              */
     417          32 :             if (!verify_client_proof(state) || state->doomed)
     418             :             {
     419          10 :                 result = SASL_EXCHANGE_FAILURE;
     420          10 :                 break;
     421             :             }
     422             : 
     423             :             /* Build final message for client */
     424          22 :             *output = build_server_final_message(state);
     425             : 
     426             :             /* Success! */
     427          22 :             result = SASL_EXCHANGE_SUCCESS;
     428          22 :             state->state = SCRAM_AUTH_FINISHED;
     429          22 :             break;
     430             : 
     431             :         default:
     432           0 :             elog(ERROR, "invalid SCRAM exchange state");
     433             :             result = SASL_EXCHANGE_FAILURE;
     434             :     }
     435             : 
     436          64 :     if (result == SASL_EXCHANGE_FAILURE && state->logdetail && logdetail)
     437           2 :         *logdetail = state->logdetail;
     438             : 
     439          64 :     if (*output)
     440          54 :         *outputlen = strlen(*output);
     441             : 
     442          64 :     return result;
     443             : }
     444             : 
     445             : /*
     446             :  * Construct a verifier string for SCRAM, stored in pg_authid.rolpassword.
     447             :  *
     448             :  * The result is palloc'd, so caller is responsible for freeing it.
     449             :  */
     450             : char *
     451          44 : pg_be_scram_build_verifier(const char *password)
     452             : {
     453             :     char       *prep_password;
     454             :     pg_saslprep_rc rc;
     455             :     char        saltbuf[SCRAM_DEFAULT_SALT_LEN];
     456             :     char       *result;
     457             : 
     458             :     /*
     459             :      * Normalize the password with SASLprep.  If that doesn't work, because
     460             :      * the password isn't valid UTF-8 or contains prohibited characters, just
     461             :      * proceed with the original password.  (See comments at top of file.)
     462             :      */
     463          44 :     rc = pg_saslprep(password, &prep_password);
     464          44 :     if (rc == SASLPREP_SUCCESS)
     465          42 :         password = (const char *) prep_password;
     466             : 
     467             :     /* Generate random salt */
     468          44 :     if (!pg_strong_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
     469           0 :         ereport(ERROR,
     470             :                 (errcode(ERRCODE_INTERNAL_ERROR),
     471             :                  errmsg("could not generate random salt")));
     472             : 
     473          44 :     result = scram_build_verifier(saltbuf, SCRAM_DEFAULT_SALT_LEN,
     474             :                                   SCRAM_DEFAULT_ITERATIONS, password);
     475             : 
     476          44 :     if (prep_password)
     477          42 :         pfree(prep_password);
     478             : 
     479          44 :     return result;
     480             : }
     481             : 
     482             : /*
     483             :  * Verify a plaintext password against a SCRAM verifier.  This is used when
     484             :  * performing plaintext password authentication for a user that has a SCRAM
     485             :  * verifier stored in pg_authid.
     486             :  */
     487             : bool
     488          14 : scram_verify_plain_password(const char *username, const char *password,
     489             :                             const char *verifier)
     490             : {
     491             :     char       *encoded_salt;
     492             :     char       *salt;
     493             :     int         saltlen;
     494             :     int         iterations;
     495             :     uint8       salted_password[SCRAM_KEY_LEN];
     496             :     uint8       stored_key[SCRAM_KEY_LEN];
     497             :     uint8       server_key[SCRAM_KEY_LEN];
     498             :     uint8       computed_key[SCRAM_KEY_LEN];
     499             :     char       *prep_password;
     500             :     pg_saslprep_rc rc;
     501             : 
     502          14 :     if (!parse_scram_verifier(verifier, &iterations, &encoded_salt,
     503             :                               stored_key, server_key))
     504             :     {
     505             :         /*
     506             :          * The password looked like a SCRAM verifier, but could not be parsed.
     507             :          */
     508           0 :         ereport(LOG,
     509             :                 (errmsg("invalid SCRAM verifier for user \"%s\"", username)));
     510           0 :         return false;
     511             :     }
     512             : 
     513          14 :     salt = palloc(pg_b64_dec_len(strlen(encoded_salt)));
     514          14 :     saltlen = pg_b64_decode(encoded_salt, strlen(encoded_salt), salt);
     515          14 :     if (saltlen == -1)
     516             :     {
     517           0 :         ereport(LOG,
     518             :                 (errmsg("invalid SCRAM verifier for user \"%s\"", username)));
     519           0 :         return false;
     520             :     }
     521             : 
     522             :     /* Normalize the password */
     523          14 :     rc = pg_saslprep(password, &prep_password);
     524          14 :     if (rc == SASLPREP_SUCCESS)
     525          14 :         password = prep_password;
     526             : 
     527             :     /* Compute Server Key based on the user-supplied plaintext password */
     528          14 :     scram_SaltedPassword(password, salt, saltlen, iterations, salted_password);
     529          14 :     scram_ServerKey(salted_password, computed_key);
     530             : 
     531          14 :     if (prep_password)
     532          14 :         pfree(prep_password);
     533             : 
     534             :     /*
     535             :      * Compare the verifier's Server Key with the one computed from the
     536             :      * user-supplied password.
     537             :      */
     538          14 :     return memcmp(computed_key, server_key, SCRAM_KEY_LEN) == 0;
     539             : }
     540             : 
     541             : 
     542             : /*
     543             :  * Parse and validate format of given SCRAM verifier.
     544             :  *
     545             :  * On success, the iteration count, salt, stored key, and server key are
     546             :  * extracted from the verifier, and returned to the caller.  For 'stored_key'
     547             :  * and 'server_key', the caller must pass pre-allocated buffers of size
     548             :  * SCRAM_KEY_LEN.  Salt is returned as a base64-encoded, null-terminated
     549             :  * string.  The buffer for the salt is palloc'd by this function.
     550             :  *
     551             :  * Returns true if the SCRAM verifier has been parsed, and false otherwise.
     552             :  */
     553             : bool
     554         274 : parse_scram_verifier(const char *verifier, int *iterations, char **salt,
     555             :                      uint8 *stored_key, uint8 *server_key)
     556             : {
     557             :     char       *v;
     558             :     char       *p;
     559             :     char       *scheme_str;
     560             :     char       *salt_str;
     561             :     char       *iterations_str;
     562             :     char       *storedkey_str;
     563             :     char       *serverkey_str;
     564             :     int         decoded_len;
     565             :     char       *decoded_salt_buf;
     566             :     char       *decoded_stored_buf;
     567             :     char       *decoded_server_buf;
     568             : 
     569             :     /*
     570             :      * The verifier is of form:
     571             :      *
     572             :      * SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>
     573             :      */
     574         274 :     v = pstrdup(verifier);
     575         274 :     if ((scheme_str = strtok(v, "$")) == NULL)
     576           0 :         goto invalid_verifier;
     577         274 :     if ((iterations_str = strtok(NULL, ":")) == NULL)
     578         124 :         goto invalid_verifier;
     579         150 :     if ((salt_str = strtok(NULL, "$")) == NULL)
     580           8 :         goto invalid_verifier;
     581         142 :     if ((storedkey_str = strtok(NULL, ":")) == NULL)
     582           0 :         goto invalid_verifier;
     583         142 :     if ((serverkey_str = strtok(NULL, "")) == NULL)
     584           0 :         goto invalid_verifier;
     585             : 
     586             :     /* Parse the fields */
     587         142 :     if (strcmp(scheme_str, "SCRAM-SHA-256") != 0)
     588           0 :         goto invalid_verifier;
     589             : 
     590         142 :     errno = 0;
     591         142 :     *iterations = strtol(iterations_str, &p, 10);
     592         142 :     if (*p || errno != 0)
     593             :         goto invalid_verifier;
     594             : 
     595             :     /*
     596             :      * Verify that the salt is in Base64-encoded format, by decoding it,
     597             :      * although we return the encoded version to the caller.
     598             :      */
     599         142 :     decoded_salt_buf = palloc(pg_b64_dec_len(strlen(salt_str)));
     600         142 :     decoded_len = pg_b64_decode(salt_str, strlen(salt_str),
     601             :                                 decoded_salt_buf);
     602         142 :     if (decoded_len < 0)
     603           0 :         goto invalid_verifier;
     604         142 :     *salt = pstrdup(salt_str);
     605             : 
     606             :     /*
     607             :      * Decode StoredKey and ServerKey.
     608             :      */
     609         142 :     decoded_stored_buf = palloc(pg_b64_dec_len(strlen(storedkey_str)));
     610         142 :     decoded_len = pg_b64_decode(storedkey_str, strlen(storedkey_str),
     611             :                                 decoded_stored_buf);
     612         142 :     if (decoded_len != SCRAM_KEY_LEN)
     613           8 :         goto invalid_verifier;
     614         134 :     memcpy(stored_key, decoded_stored_buf, SCRAM_KEY_LEN);
     615             : 
     616         134 :     decoded_server_buf = palloc(pg_b64_dec_len(strlen(serverkey_str)));
     617         134 :     decoded_len = pg_b64_decode(serverkey_str, strlen(serverkey_str),
     618             :                                 decoded_server_buf);
     619         134 :     if (decoded_len != SCRAM_KEY_LEN)
     620           8 :         goto invalid_verifier;
     621         126 :     memcpy(server_key, decoded_server_buf, SCRAM_KEY_LEN);
     622             : 
     623         126 :     return true;
     624             : 
     625             : invalid_verifier:
     626         148 :     *salt = NULL;
     627         148 :     return false;
     628             : }
     629             : 
     630             : /*
     631             :  * Generate plausible SCRAM verifier parameters for mock authentication.
     632             :  *
     633             :  * In a normal authentication, these are extracted from the verifier
     634             :  * stored in the server.  This function generates values that look
     635             :  * realistic, for when there is no stored verifier.
     636             :  *
     637             :  * Like in parse_scram_verifier(), for 'stored_key' and 'server_key', the
     638             :  * caller must pass pre-allocated buffers of size SCRAM_KEY_LEN, and
     639             :  * the buffer for the salt is palloc'd by this function.
     640             :  */
     641             : static void
     642           2 : mock_scram_verifier(const char *username, int *iterations, char **salt,
     643             :                     uint8 *stored_key, uint8 *server_key)
     644             : {
     645             :     char       *raw_salt;
     646             :     char       *encoded_salt;
     647             :     int         encoded_len;
     648             : 
     649             :     /* Generate deterministic salt */
     650           2 :     raw_salt = scram_mock_salt(username);
     651             : 
     652           2 :     encoded_salt = (char *) palloc(pg_b64_enc_len(SCRAM_DEFAULT_SALT_LEN) + 1);
     653           2 :     encoded_len = pg_b64_encode(raw_salt, SCRAM_DEFAULT_SALT_LEN, encoded_salt);
     654           2 :     encoded_salt[encoded_len] = '\0';
     655             : 
     656           2 :     *salt = encoded_salt;
     657           2 :     *iterations = SCRAM_DEFAULT_ITERATIONS;
     658             : 
     659             :     /* StoredKey and ServerKey are not used in a doomed authentication */
     660           2 :     memset(stored_key, 0, SCRAM_KEY_LEN);
     661           2 :     memset(server_key, 0, SCRAM_KEY_LEN);
     662           2 : }
     663             : 
     664             : /*
     665             :  * Read the value in a given SCRAM exchange message for given attribute.
     666             :  */
     667             : static char *
     668         130 : read_attr_value(char **input, char attr)
     669             : {
     670         130 :     char       *begin = *input;
     671             :     char       *end;
     672             : 
     673         130 :     if (*begin != attr)
     674           0 :         ereport(ERROR,
     675             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     676             :                  errmsg("malformed SCRAM message"),
     677             :                  errdetail("Expected attribute \"%c\" but found \"%s\".",
     678             :                            attr, sanitize_char(*begin))));
     679         130 :     begin++;
     680             : 
     681         130 :     if (*begin != '=')
     682           0 :         ereport(ERROR,
     683             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     684             :                  errmsg("malformed SCRAM message"),
     685             :                  errdetail("Expected character \"=\" for attribute \"%c\".", attr)));
     686         130 :     begin++;
     687             : 
     688         130 :     end = begin;
     689        2876 :     while (*end && *end != ',')
     690        2616 :         end++;
     691             : 
     692         130 :     if (*end)
     693             :     {
     694          98 :         *end = '\0';
     695          98 :         *input = end + 1;
     696             :     }
     697             :     else
     698          32 :         *input = end;
     699             : 
     700         130 :     return begin;
     701             : }
     702             : 
     703             : static bool
     704          32 : is_scram_printable(char *p)
     705             : {
     706             :     /*------
     707             :      * Printable characters, as defined by SCRAM spec: (RFC 5802)
     708             :      *
     709             :      *  printable       = %x21-2B / %x2D-7E
     710             :      *                    ;; Printable ASCII except ",".
     711             :      *                    ;; Note that any "printable" is also
     712             :      *                    ;; a valid "value".
     713             :      *------
     714             :      */
     715         800 :     for (; *p; p++)
     716             :     {
     717         768 :         if (*p < 0x21 || *p > 0x7E || *p == 0x2C /* comma */ )
     718           0 :             return false;
     719             :     }
     720          32 :     return true;
     721             : }
     722             : 
     723             : /*
     724             :  * Convert an arbitrary byte to printable form.  For error messages.
     725             :  *
     726             :  * If it's a printable ASCII character, print it as a single character.
     727             :  * otherwise, print it in hex.
     728             :  *
     729             :  * The returned pointer points to a static buffer.
     730             :  */
     731             : static char *
     732           0 : sanitize_char(char c)
     733             : {
     734             :     static char buf[5];
     735             : 
     736           0 :     if (c >= 0x21 && c <= 0x7E)
     737           0 :         snprintf(buf, sizeof(buf), "'%c'", c);
     738             :     else
     739           0 :         snprintf(buf, sizeof(buf), "0x%02x", (unsigned char) c);
     740           0 :     return buf;
     741             : }
     742             : 
     743             : /*
     744             :  * Convert an arbitrary string to printable form, for error messages.
     745             :  *
     746             :  * Anything that's not a printable ASCII character is replaced with
     747             :  * '?', and the string is truncated at 30 characters.
     748             :  *
     749             :  * The returned pointer points to a static buffer.
     750             :  */
     751             : static char *
     752           0 : sanitize_str(const char *s)
     753             : {
     754             :     static char buf[30 + 1];
     755             :     int         i;
     756             : 
     757           0 :     for (i = 0; i < sizeof(buf) - 1; i++)
     758             :     {
     759           0 :         char        c = s[i];
     760             : 
     761           0 :         if (c == '\0')
     762           0 :             break;
     763             : 
     764           0 :         if (c >= 0x21 && c <= 0x7E)
     765           0 :             buf[i] = c;
     766             :         else
     767           0 :             buf[i] = '?';
     768             :     }
     769           0 :     buf[i] = '\0';
     770           0 :     return buf;
     771             : }
     772             : 
     773             : /*
     774             :  * Read the next attribute and value in a SCRAM exchange message.
     775             :  *
     776             :  * Returns NULL if there is attribute.
     777             :  */
     778             : static char *
     779          32 : read_any_attr(char **input, char *attr_p)
     780             : {
     781          32 :     char       *begin = *input;
     782             :     char       *end;
     783          32 :     char        attr = *begin;
     784             : 
     785             :     /*------
     786             :      * attr-val        = ALPHA "=" value
     787             :      *                   ;; Generic syntax of any attribute sent
     788             :      *                   ;; by server or client
     789             :      *------
     790             :      */
     791          32 :     if (!((attr >= 'A' && attr <= 'Z') ||
     792          32 :           (attr >= 'a' && attr <= 'z')))
     793           0 :         ereport(ERROR,
     794             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     795             :                  errmsg("malformed SCRAM message"),
     796             :                  errdetail("Attribute expected, but found invalid character \"%s\".",
     797             :                            sanitize_char(attr))));
     798          32 :     if (attr_p)
     799          32 :         *attr_p = attr;
     800          32 :     begin++;
     801             : 
     802          32 :     if (*begin != '=')
     803           0 :         ereport(ERROR,
     804             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     805             :                  errmsg("malformed SCRAM message"),
     806             :                  errdetail("Expected character \"=\" for attribute \"%c\".", attr)));
     807          32 :     begin++;
     808             : 
     809          32 :     end = begin;
     810        1472 :     while (*end && *end != ',')
     811        1408 :         end++;
     812             : 
     813          32 :     if (*end)
     814             :     {
     815           0 :         *end = '\0';
     816           0 :         *input = end + 1;
     817             :     }
     818             :     else
     819          32 :         *input = end;
     820             : 
     821          32 :     return begin;
     822             : }
     823             : 
     824             : /*
     825             :  * Read and parse the first message from client in the context of a SCRAM
     826             :  * authentication exchange message.
     827             :  *
     828             :  * At this stage, any errors will be reported directly with ereport(ERROR).
     829             :  */
     830             : static void
     831          32 : read_client_first_message(scram_state *state, const char *input)
     832             : {
     833          32 :     char       *p = pstrdup(input);
     834             :     char       *channel_binding_type;
     835             : 
     836             : 
     837             :     /*------
     838             :      * The syntax for the client-first-message is: (RFC 5802)
     839             :      *
     840             :      * saslname        = 1*(value-safe-char / "=2C" / "=3D")
     841             :      *                   ;; Conforms to <value>.
     842             :      *
     843             :      * authzid         = "a=" saslname
     844             :      *                   ;; Protocol specific.
     845             :      *
     846             :      * cb-name         = 1*(ALPHA / DIGIT / "." / "-")
     847             :      *                    ;; See RFC 5056, Section 7.
     848             :      *                    ;; E.g., "tls-server-end-point" or
     849             :      *                    ;; "tls-unique".
     850             :      *
     851             :      * gs2-cbind-flag  = ("p=" cb-name) / "n" / "y"
     852             :      *                   ;; "n" -> client doesn't support channel binding.
     853             :      *                   ;; "y" -> client does support channel binding
     854             :      *                   ;;        but thinks the server does not.
     855             :      *                   ;; "p" -> client requires channel binding.
     856             :      *                   ;; The selected channel binding follows "p=".
     857             :      *
     858             :      * gs2-header      = gs2-cbind-flag "," [ authzid ] ","
     859             :      *                   ;; GS2 header for SCRAM
     860             :      *                   ;; (the actual GS2 header includes an optional
     861             :      *                   ;; flag to indicate that the GSS mechanism is not
     862             :      *                   ;; "standard", but since SCRAM is "standard", we
     863             :      *                   ;; don't include that flag).
     864             :      *
     865             :      * username        = "n=" saslname
     866             :      *                   ;; Usernames are prepared using SASLprep.
     867             :      *
     868             :      * reserved-mext  = "m=" 1*(value-char)
     869             :      *                   ;; Reserved for signaling mandatory extensions.
     870             :      *                   ;; The exact syntax will be defined in
     871             :      *                   ;; the future.
     872             :      *
     873             :      * nonce           = "r=" c-nonce [s-nonce]
     874             :      *                   ;; Second part provided by server.
     875             :      *
     876             :      * c-nonce         = printable
     877             :      *
     878             :      * client-first-message-bare =
     879             :      *                   [reserved-mext ","]
     880             :      *                   username "," nonce ["," extensions]
     881             :      *
     882             :      * client-first-message =
     883             :      *                   gs2-header client-first-message-bare
     884             :      *
     885             :      * For example:
     886             :      * n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL
     887             :      *
     888             :      * The "n,," in the beginning means that the client doesn't support
     889             :      * channel binding, and no authzid is given.  "n=user" is the username.
     890             :      * However, in PostgreSQL the username is sent in the startup packet, and
     891             :      * the username in the SCRAM exchange is ignored.  libpq always sends it
     892             :      * as an empty string.  The last part, "r=fyko+d2lbbFgONRv9qkxdawL" is
     893             :      * the client nonce.
     894             :      *------
     895             :      */
     896             : 
     897             :     /*
     898             :      * Read gs2-cbind-flag.  (For details see also RFC 5802 Section 6 "Channel
     899             :      * Binding".)
     900             :      */
     901          32 :     state->cbind_flag = *p;
     902          32 :     switch (*p)
     903             :     {
     904             :         case 'n':
     905             : 
     906             :             /*
     907             :              * The client does not support channel binding or has simply
     908             :              * decided to not use it.  In that case just let it go.
     909             :              */
     910          30 :             if (state->channel_binding_in_use)
     911           0 :                 ereport(ERROR,
     912             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     913             :                          errmsg("malformed SCRAM message"),
     914             :                          errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
     915             : 
     916          30 :             p++;
     917          30 :             if (*p != ',')
     918           0 :                 ereport(ERROR,
     919             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     920             :                          errmsg("malformed SCRAM message"),
     921             :                          errdetail("Comma expected, but found character \"%s\".",
     922             :                                    sanitize_char(*p))));
     923          30 :             p++;
     924          30 :             break;
     925             :         case 'y':
     926             : 
     927             :             /*
     928             :              * The client supports channel binding and thinks that the server
     929             :              * does not.  In this case, the server must fail authentication if
     930             :              * it supports channel binding.
     931             :              */
     932           0 :             if (state->channel_binding_in_use)
     933           0 :                 ereport(ERROR,
     934             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     935             :                          errmsg("malformed SCRAM message"),
     936             :                          errdetail("The client selected SCRAM-SHA-256-PLUS, but the SCRAM message does not include channel binding data.")));
     937             : 
     938             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
     939           0 :             if (state->port->ssl_in_use)
     940           0 :                 ereport(ERROR,
     941             :                         (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
     942             :                          errmsg("SCRAM channel binding negotiation error"),
     943             :                          errdetail("The client supports SCRAM channel binding but thinks the server does not.  "
     944             :                                    "However, this server does support channel binding.")));
     945             : #endif
     946           0 :             p++;
     947           0 :             if (*p != ',')
     948           0 :                 ereport(ERROR,
     949             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     950             :                          errmsg("malformed SCRAM message"),
     951             :                          errdetail("Comma expected, but found character \"%s\".",
     952             :                                    sanitize_char(*p))));
     953           0 :             p++;
     954           0 :             break;
     955             :         case 'p':
     956             : 
     957             :             /*
     958             :              * The client requires channel binding.  Channel binding type
     959             :              * follows, e.g., "p=tls-server-end-point".
     960             :              */
     961           2 :             if (!state->channel_binding_in_use)
     962           0 :                 ereport(ERROR,
     963             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     964             :                          errmsg("malformed SCRAM message"),
     965             :                          errdetail("The client selected SCRAM-SHA-256 without channel binding, but the SCRAM message includes channel binding data.")));
     966             : 
     967           2 :             channel_binding_type = read_attr_value(&p, 'p');
     968             : 
     969             :             /*
     970             :              * The only channel binding type we support is
     971             :              * tls-server-end-point.
     972             :              */
     973           2 :             if (strcmp(channel_binding_type, "tls-server-end-point") != 0)
     974           0 :                 ereport(ERROR,
     975             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
     976             :                          (errmsg("unsupported SCRAM channel-binding type \"%s\"",
     977             :                                  sanitize_str(channel_binding_type)))));
     978           2 :             break;
     979             :         default:
     980           0 :             ereport(ERROR,
     981             :                     (errcode(ERRCODE_PROTOCOL_VIOLATION),
     982             :                      errmsg("malformed SCRAM message"),
     983             :                      errdetail("Unexpected channel-binding flag \"%s\".",
     984             :                                sanitize_char(*p))));
     985             :     }
     986             : 
     987             :     /*
     988             :      * Forbid optional authzid (authorization identity).  We don't support it.
     989             :      */
     990          32 :     if (*p == 'a')
     991           0 :         ereport(ERROR,
     992             :                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
     993             :                  errmsg("client uses authorization identity, but it is not supported")));
     994          32 :     if (*p != ',')
     995           0 :         ereport(ERROR,
     996             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
     997             :                  errmsg("malformed SCRAM message"),
     998             :                  errdetail("Unexpected attribute \"%s\" in client-first-message.",
     999             :                            sanitize_char(*p))));
    1000          32 :     p++;
    1001             : 
    1002          32 :     state->client_first_message_bare = pstrdup(p);
    1003             : 
    1004             :     /*
    1005             :      * Any mandatory extensions would go here.  We don't support any.
    1006             :      *
    1007             :      * RFC 5802 specifies error code "e=extensions-not-supported" for this,
    1008             :      * but it can only be sent in the server-final message.  We prefer to fail
    1009             :      * immediately (which the RFC also allows).
    1010             :      */
    1011          32 :     if (*p == 'm')
    1012           0 :         ereport(ERROR,
    1013             :                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
    1014             :                  errmsg("client requires an unsupported SCRAM extension")));
    1015             : 
    1016             :     /*
    1017             :      * Read username.  Note: this is ignored.  We use the username from the
    1018             :      * startup message instead, still it is kept around if provided as it
    1019             :      * proves to be useful for debugging purposes.
    1020             :      */
    1021          32 :     state->client_username = read_attr_value(&p, 'n');
    1022             : 
    1023             :     /* read nonce and check that it is made of only printable characters */
    1024          32 :     state->client_nonce = read_attr_value(&p, 'r');
    1025          32 :     if (!is_scram_printable(state->client_nonce))
    1026           0 :         ereport(ERROR,
    1027             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1028             :                  errmsg("non-printable characters in SCRAM nonce")));
    1029             : 
    1030             :     /*
    1031             :      * There can be any number of optional extensions after this.  We don't
    1032             :      * support any extensions, so ignore them.
    1033             :      */
    1034          64 :     while (*p != '\0')
    1035           0 :         read_any_attr(&p, NULL);
    1036             : 
    1037             :     /* success! */
    1038          32 : }
    1039             : 
    1040             : /*
    1041             :  * Verify the final nonce contained in the last message received from
    1042             :  * client in an exchange.
    1043             :  */
    1044             : static bool
    1045          32 : verify_final_nonce(scram_state *state)
    1046             : {
    1047          32 :     int         client_nonce_len = strlen(state->client_nonce);
    1048          32 :     int         server_nonce_len = strlen(state->server_nonce);
    1049          32 :     int         final_nonce_len = strlen(state->client_final_nonce);
    1050             : 
    1051          32 :     if (final_nonce_len != client_nonce_len + server_nonce_len)
    1052           0 :         return false;
    1053          32 :     if (memcmp(state->client_final_nonce, state->client_nonce, client_nonce_len) != 0)
    1054           0 :         return false;
    1055          32 :     if (memcmp(state->client_final_nonce + client_nonce_len, state->server_nonce, server_nonce_len) != 0)
    1056           0 :         return false;
    1057             : 
    1058          32 :     return true;
    1059             : }
    1060             : 
    1061             : /*
    1062             :  * Verify the client proof contained in the last message received from
    1063             :  * client in an exchange.
    1064             :  */
    1065             : static bool
    1066          32 : verify_client_proof(scram_state *state)
    1067             : {
    1068             :     uint8       ClientSignature[SCRAM_KEY_LEN];
    1069             :     uint8       ClientKey[SCRAM_KEY_LEN];
    1070             :     uint8       client_StoredKey[SCRAM_KEY_LEN];
    1071             :     scram_HMAC_ctx ctx;
    1072             :     int         i;
    1073             : 
    1074             :     /* calculate ClientSignature */
    1075          32 :     scram_HMAC_init(&ctx, state->StoredKey, SCRAM_KEY_LEN);
    1076          64 :     scram_HMAC_update(&ctx,
    1077          32 :                       state->client_first_message_bare,
    1078          32 :                       strlen(state->client_first_message_bare));
    1079          32 :     scram_HMAC_update(&ctx, ",", 1);
    1080          64 :     scram_HMAC_update(&ctx,
    1081          32 :                       state->server_first_message,
    1082          32 :                       strlen(state->server_first_message));
    1083          32 :     scram_HMAC_update(&ctx, ",", 1);
    1084          64 :     scram_HMAC_update(&ctx,
    1085          32 :                       state->client_final_message_without_proof,
    1086          32 :                       strlen(state->client_final_message_without_proof));
    1087          32 :     scram_HMAC_final(ClientSignature, &ctx);
    1088             : 
    1089             :     /* Extract the ClientKey that the client calculated from the proof */
    1090        1056 :     for (i = 0; i < SCRAM_KEY_LEN; i++)
    1091        1024 :         ClientKey[i] = state->ClientProof[i] ^ ClientSignature[i];
    1092             : 
    1093             :     /* Hash it one more time, and compare with StoredKey */
    1094          32 :     scram_H(ClientKey, SCRAM_KEY_LEN, client_StoredKey);
    1095             : 
    1096          32 :     if (memcmp(client_StoredKey, state->StoredKey, SCRAM_KEY_LEN) != 0)
    1097          10 :         return false;
    1098             : 
    1099          22 :     return true;
    1100             : }
    1101             : 
    1102             : /*
    1103             :  * Build the first server-side message sent to the client in a SCRAM
    1104             :  * communication exchange.
    1105             :  */
    1106             : static char *
    1107          32 : build_server_first_message(scram_state *state)
    1108             : {
    1109             :     /*------
    1110             :      * The syntax for the server-first-message is: (RFC 5802)
    1111             :      *
    1112             :      * server-first-message =
    1113             :      *                   [reserved-mext ","] nonce "," salt ","
    1114             :      *                   iteration-count ["," extensions]
    1115             :      *
    1116             :      * nonce           = "r=" c-nonce [s-nonce]
    1117             :      *                   ;; Second part provided by server.
    1118             :      *
    1119             :      * c-nonce         = printable
    1120             :      *
    1121             :      * s-nonce         = printable
    1122             :      *
    1123             :      * salt            = "s=" base64
    1124             :      *
    1125             :      * iteration-count = "i=" posit-number
    1126             :      *                   ;; A positive number.
    1127             :      *
    1128             :      * Example:
    1129             :      *
    1130             :      * r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096
    1131             :      *------
    1132             :      */
    1133             : 
    1134             :     /*
    1135             :      * Per the spec, the nonce may consist of any printable ASCII characters.
    1136             :      * For convenience, however, we don't use the whole range available,
    1137             :      * rather, we generate some random bytes, and base64 encode them.
    1138             :      */
    1139             :     char        raw_nonce[SCRAM_RAW_NONCE_LEN];
    1140             :     int         encoded_len;
    1141             : 
    1142          32 :     if (!pg_strong_random(raw_nonce, SCRAM_RAW_NONCE_LEN))
    1143           0 :         ereport(ERROR,
    1144             :                 (errcode(ERRCODE_INTERNAL_ERROR),
    1145             :                  errmsg("could not generate random nonce")));
    1146             : 
    1147          32 :     state->server_nonce = palloc(pg_b64_enc_len(SCRAM_RAW_NONCE_LEN) + 1);
    1148          32 :     encoded_len = pg_b64_encode(raw_nonce, SCRAM_RAW_NONCE_LEN, state->server_nonce);
    1149          32 :     state->server_nonce[encoded_len] = '\0';
    1150             : 
    1151          32 :     state->server_first_message =
    1152          32 :         psprintf("r=%s%s,s=%s,i=%u",
    1153             :                  state->client_nonce, state->server_nonce,
    1154             :                  state->salt, state->iterations);
    1155             : 
    1156          32 :     return pstrdup(state->server_first_message);
    1157             : }
    1158             : 
    1159             : 
    1160             : /*
    1161             :  * Read and parse the final message received from client.
    1162             :  */
    1163             : static void
    1164          32 : read_client_final_message(scram_state *state, const char *input)
    1165             : {
    1166             :     char        attr;
    1167             :     char       *channel_binding;
    1168             :     char       *value;
    1169             :     char       *begin,
    1170             :                *proof;
    1171             :     char       *p;
    1172             :     char       *client_proof;
    1173             : 
    1174          32 :     begin = p = pstrdup(input);
    1175             : 
    1176             :     /*------
    1177             :      * The syntax for the server-first-message is: (RFC 5802)
    1178             :      *
    1179             :      * gs2-header      = gs2-cbind-flag "," [ authzid ] ","
    1180             :      *                   ;; GS2 header for SCRAM
    1181             :      *                   ;; (the actual GS2 header includes an optional
    1182             :      *                   ;; flag to indicate that the GSS mechanism is not
    1183             :      *                   ;; "standard", but since SCRAM is "standard", we
    1184             :      *                   ;; don't include that flag).
    1185             :      *
    1186             :      * cbind-input   = gs2-header [ cbind-data ]
    1187             :      *                   ;; cbind-data MUST be present for
    1188             :      *                   ;; gs2-cbind-flag of "p" and MUST be absent
    1189             :      *                   ;; for "y" or "n".
    1190             :      *
    1191             :      * channel-binding = "c=" base64
    1192             :      *                   ;; base64 encoding of cbind-input.
    1193             :      *
    1194             :      * proof           = "p=" base64
    1195             :      *
    1196             :      * client-final-message-without-proof =
    1197             :      *                   channel-binding "," nonce [","
    1198             :      *                   extensions]
    1199             :      *
    1200             :      * client-final-message =
    1201             :      *                   client-final-message-without-proof "," proof
    1202             :      *------
    1203             :      */
    1204             : 
    1205             :     /*
    1206             :      * Read channel binding.  This repeats the channel-binding flags and is
    1207             :      * then followed by the actual binding data depending on the type.
    1208             :      */
    1209          32 :     channel_binding = read_attr_value(&p, 'c');
    1210          32 :     if (state->channel_binding_in_use)
    1211             :     {
    1212             : #ifdef HAVE_BE_TLS_GET_CERTIFICATE_HASH
    1213           2 :         const char *cbind_data = NULL;
    1214           2 :         size_t      cbind_data_len = 0;
    1215             :         size_t      cbind_header_len;
    1216             :         char       *cbind_input;
    1217             :         size_t      cbind_input_len;
    1218             :         char       *b64_message;
    1219             :         int         b64_message_len;
    1220             : 
    1221             :         Assert(state->cbind_flag == 'p');
    1222             : 
    1223             :         /* Fetch hash data of server's SSL certificate */
    1224           2 :         cbind_data = be_tls_get_certificate_hash(state->port,
    1225             :                                                  &cbind_data_len);
    1226             : 
    1227             :         /* should not happen */
    1228           2 :         if (cbind_data == NULL || cbind_data_len == 0)
    1229           0 :             elog(ERROR, "could not get server certificate hash");
    1230             : 
    1231           2 :         cbind_header_len = strlen("p=tls-server-end-point,,");    /* p=type,, */
    1232           2 :         cbind_input_len = cbind_header_len + cbind_data_len;
    1233           2 :         cbind_input = palloc(cbind_input_len);
    1234           2 :         snprintf(cbind_input, cbind_input_len, "p=tls-server-end-point,,");
    1235           2 :         memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
    1236             : 
    1237           2 :         b64_message = palloc(pg_b64_enc_len(cbind_input_len) + 1);
    1238           2 :         b64_message_len = pg_b64_encode(cbind_input, cbind_input_len,
    1239             :                                         b64_message);
    1240           2 :         b64_message[b64_message_len] = '\0';
    1241             : 
    1242             :         /*
    1243             :          * Compare the value sent by the client with the value expected by the
    1244             :          * server.
    1245             :          */
    1246           2 :         if (strcmp(channel_binding, b64_message) != 0)
    1247           0 :             ereport(ERROR,
    1248             :                     (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
    1249             :                      (errmsg("SCRAM channel binding check failed"))));
    1250             : #else
    1251             :         /* shouldn't happen, because we checked this earlier already */
    1252             :         elog(ERROR, "channel binding not supported by this build");
    1253             : #endif
    1254             :     }
    1255             :     else
    1256             :     {
    1257             :         /*
    1258             :          * If we are not using channel binding, the binding data is expected
    1259             :          * to always be "biws", which is "n,," base64-encoded, or "eSws",
    1260             :          * which is "y,,".  We also have to check whether the flag is the same
    1261             :          * one that the client originally sent.
    1262             :          */
    1263          30 :         if (!(strcmp(channel_binding, "biws") == 0 && state->cbind_flag == 'n') &&
    1264           0 :             !(strcmp(channel_binding, "eSws") == 0 && state->cbind_flag == 'y'))
    1265           0 :             ereport(ERROR,
    1266             :                     (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1267             :                      (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
    1268             :     }
    1269             : 
    1270          32 :     state->client_final_nonce = read_attr_value(&p, 'r');
    1271             : 
    1272             :     /* ignore optional extensions */
    1273             :     do
    1274             :     {
    1275          32 :         proof = p - 1;
    1276          32 :         value = read_any_attr(&p, &attr);
    1277          32 :     } while (attr != 'p');
    1278             : 
    1279          32 :     client_proof = palloc(pg_b64_dec_len(strlen(value)));
    1280          32 :     if (pg_b64_decode(value, strlen(value), client_proof) != SCRAM_KEY_LEN)
    1281           0 :         ereport(ERROR,
    1282             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1283             :                  errmsg("malformed SCRAM message"),
    1284             :                  errdetail("Malformed proof in client-final-message.")));
    1285          32 :     memcpy(state->ClientProof, client_proof, SCRAM_KEY_LEN);
    1286          32 :     pfree(client_proof);
    1287             : 
    1288          32 :     if (*p != '\0')
    1289           0 :         ereport(ERROR,
    1290             :                 (errcode(ERRCODE_PROTOCOL_VIOLATION),
    1291             :                  errmsg("malformed SCRAM message"),
    1292             :                  errdetail("Garbage found at the end of client-final-message.")));
    1293             : 
    1294          32 :     state->client_final_message_without_proof = palloc(proof - begin + 1);
    1295          32 :     memcpy(state->client_final_message_without_proof, input, proof - begin);
    1296          32 :     state->client_final_message_without_proof[proof - begin] = '\0';
    1297          32 : }
    1298             : 
    1299             : /*
    1300             :  * Build the final server-side message of an exchange.
    1301             :  */
    1302             : static char *
    1303          22 : build_server_final_message(scram_state *state)
    1304             : {
    1305             :     uint8       ServerSignature[SCRAM_KEY_LEN];
    1306             :     char       *server_signature_base64;
    1307             :     int         siglen;
    1308             :     scram_HMAC_ctx ctx;
    1309             : 
    1310             :     /* calculate ServerSignature */
    1311          22 :     scram_HMAC_init(&ctx, state->ServerKey, SCRAM_KEY_LEN);
    1312          44 :     scram_HMAC_update(&ctx,
    1313          22 :                       state->client_first_message_bare,
    1314          22 :                       strlen(state->client_first_message_bare));
    1315          22 :     scram_HMAC_update(&ctx, ",", 1);
    1316          44 :     scram_HMAC_update(&ctx,
    1317          22 :                       state->server_first_message,
    1318          22 :                       strlen(state->server_first_message));
    1319          22 :     scram_HMAC_update(&ctx, ",", 1);
    1320          44 :     scram_HMAC_update(&ctx,
    1321          22 :                       state->client_final_message_without_proof,
    1322          22 :                       strlen(state->client_final_message_without_proof));
    1323          22 :     scram_HMAC_final(ServerSignature, &ctx);
    1324             : 
    1325          22 :     server_signature_base64 = palloc(pg_b64_enc_len(SCRAM_KEY_LEN) + 1);
    1326          22 :     siglen = pg_b64_encode((const char *) ServerSignature,
    1327             :                            SCRAM_KEY_LEN, server_signature_base64);
    1328          22 :     server_signature_base64[siglen] = '\0';
    1329             : 
    1330             :     /*------
    1331             :      * The syntax for the server-final-message is: (RFC 5802)
    1332             :      *
    1333             :      * verifier        = "v=" base64
    1334             :      *                   ;; base-64 encoded ServerSignature.
    1335             :      *
    1336             :      * server-final-message = (server-error / verifier)
    1337             :      *                   ["," extensions]
    1338             :      *
    1339             :      *------
    1340             :      */
    1341          22 :     return psprintf("v=%s", server_signature_base64);
    1342             : }
    1343             : 
    1344             : 
    1345             : /*
    1346             :  * Deterministically generate salt for mock authentication, using a SHA256
    1347             :  * hash based on the username and a cluster-level secret key.  Returns a
    1348             :  * pointer to a static buffer of size SCRAM_DEFAULT_SALT_LEN.
    1349             :  */
    1350             : static char *
    1351           2 : scram_mock_salt(const char *username)
    1352             : {
    1353             :     pg_sha256_ctx ctx;
    1354             :     static uint8 sha_digest[PG_SHA256_DIGEST_LENGTH];
    1355           2 :     char       *mock_auth_nonce = GetMockAuthenticationNonce();
    1356             : 
    1357             :     /*
    1358             :      * Generate salt using a SHA256 hash of the username and the cluster's
    1359             :      * mock authentication nonce.  (This works as long as the salt length is
    1360             :      * not larger the SHA256 digest length. If the salt is smaller, the caller
    1361             :      * will just ignore the extra data.)
    1362             :      */
    1363             :     StaticAssertStmt(PG_SHA256_DIGEST_LENGTH >= SCRAM_DEFAULT_SALT_LEN,
    1364             :                      "salt length greater than SHA256 digest length");
    1365             : 
    1366           2 :     pg_sha256_init(&ctx);
    1367           2 :     pg_sha256_update(&ctx, (uint8 *) username, strlen(username));
    1368           2 :     pg_sha256_update(&ctx, (uint8 *) mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
    1369           2 :     pg_sha256_final(&ctx, sha_digest);
    1370             : 
    1371           2 :     return (char *) sha_digest;
    1372             : }

Generated by: LCOV version 1.13